Microsoft ATA

When you configure Microsoft Advanced Threat Analytics (ATA) to send log data to USM Appliance, you can use the Microsoft-ata plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin.

Plugin Information

Device Details
  Vendor: Microsoft
  Device Type: Threat Analytics
  Connection Type: Syslog
  Data Source Name: microsoft-ata
  Data Source ID: 1850

Integrating Microsoft Advanced Threat Analytics (ATA)

To configure Microsoft ATA to send Syslog messages to USM Appliance

  1. On the ATA Center server, click the Microsoft Advanced Threat Analytics Management icon on the desktop and log in.
  2. Select the Settings option on the toolbar and choose Configuration.
  3. Under the Configure syslog notifications section, select Syslog server and fill out the fields:

    • Syslog server endpoint — enter the IP address of USM Appliance and port 514 if you're using UDP, or 601 if you're using TCP.
    • Transport — select UDP, TCP, or TLS.
    • Format — select RFC 3164.

  4. Click Save.
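
A receiving-side check for the Format setting chosen in step 3, given here as an added example (it is not part of the original page or of the plugin's code). It classifies each received message as RFC 3164 or as the RFC 5424 layout and decodes the PRI field; the function name, host name, and sample messages are constructed for illustration.

```python
import re

# Header shapes: RFC 3164 is "<PRI>Mmm dd hh:mm:ss HOST MSG";
# RFC 5424 is "<PRI>VERSION ISO-TIMESTAMP HOST ...".
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<month>[A-Z][a-z]{2}) (?P<day>[ \d]\d) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$",
    re.DOTALL,
)
RFC5424 = re.compile(r"^<\d{1,3}>\d{1,2} ")
MONTHS = {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"}
SEVERITY = ("emerg", "alert", "crit", "err",
            "warning", "notice", "info", "debug")


def check_message(raw: bytes) -> dict:
    """Classify one received syslog message and decode its RFC 3164 header."""
    text = raw.decode("utf-8", errors="replace").rstrip("\r\n")
    if RFC5424.match(text):
        # A version digit after PRI means the sender is not using RFC 3164.
        return {"format": "rfc5424", "ok": False}
    m = RFC3164.match(text)
    if not m or m["month"] not in MONTHS or int(m["pri"]) > 191:
        return {"format": "unknown", "ok": False}
    pri = int(m["pri"])
    return {
        "format": "rfc3164",
        "ok": True,
        "facility": pri >> 3,          # PRI = facility * 8 + severity
        "severity": SEVERITY[pri & 7],
        "host": m["host"],
        "msg": m["msg"],
    }


# Constructed sample messages (not real ATA output).
SAMPLES = [
    b"<132>Feb 21 14:19:27 ata-center.example constructed alert body\n",
    b"<132>1 2018-02-21T14:19:27Z ata-center.example ATA 4688 - - body\n",
    b"Feb 21 14:19:27 ata-center.example header without PRI\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_message(sample))
```

Feed it the payloads captured on the port configured in step 3 (514 for UDP, 601 for TCP); any result with `ok` set to False means the message will not match an RFC 3164 header.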

Plugin Enablement

For plugin enablement information, see Enable Plugins.

Additional Resources and Troubleshooting

https://docs.microsoft.com/en-us/advanced-threat-analytics/setting-syslog-email-server-settings

For troubleshooting, refer to the vendor documentation:

https://docs.microsoft.com/en-us/advanced-threat-analytics/troubleshooting-ata-using-logs